




WHITEPAPER
Akamai
API Security Fundamentals: Build Your Knowledge, Secure the Enterprise
Introduction
APIs have evolved rapidly from an implementation detail to a strategic enabler of digital innovation. Every time a customer, partner, or vendor engages with a business digitally, there's an API behind the scenes facilitating a seamless data exchange.
As APIs proliferate, so do their risks. In the race to quickly create and release new applications and AI-enhanced services, the underlying APIs are too often misconfigured, lacking in security controls, and vulnerable to easily executed attacks. As a result, APIs have emerged as a top attack vector, leaving many security teams to play catch-up with their API security strategies. Therefore, API security is quickly emerging as a top strategic priority for IT and security executives.
Whether you're looking to ground yourself in API security basics or are assembling a list of the right questions to ask, this guide offers the details you need to know, including:
- The different types of APIs
- What API security means for businesses today
- Best practices for addressing API security risks
- Common API attack and abuse methods
To go directly to API security best practices, you can skip ahead to page 10.
Table of Contents
API basics: pages 4–9
API security explained: pages 10–12
API security risks and abuse: pages 13–18
API security solutions and trends: pages 19–22
API basics
What is a web API?
A web application programming interface, or API, consists of one or more endpoints of a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web — most commonly by means of an HTTP-based web server.
In other words, a web API is what most people think of when they hear "API." It's a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, Protobuf, or another format).
Web APIs are different from other APIs, such as those exposed by the operating system or by libraries of applications running on the same machine, but the general term "API" usually refers to an HTTP-based (web) API, especially in the context of enterprise digital transformation and API security.
What are the most common types of APIs?
The following table contains terms that refer to different usage models and technical approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The table defines these common types, as well as others.
API usage model: Description
Public API: An API that is made available and shared freely with all developers via the internet
External API: Often used interchangeably with public API; these types of APIs are exposed to the internet
Private API: An API that is implemented in a protected data center or cloud environment for use by trusted developers
Internal API: Often used interchangeably with private API
Third-party API: Provides programmatic access to specialized functionality and/or data from a third-party source for use in an application
Partner API: A type of third-party API that is made available selectively to authorized business partners
Authenticated API: An API that is only accessible to developers who have been granted access (or threat actors who have gained unauthorized access to credentials)
Unauthenticated API: An API that can be accessed programmatically without the need for specific credentials
HTTP API: An API that uses the hypertext transfer protocol as a communication protocol for API calls
RESTful API: Representational state transfer (RESTful) is the most common type of web API that uses plain text, HTML, XML, YAML, or JSON to deliver data; RESTful APIs are easy to consume by modern front-end frameworks (e.g., React and React Native) and facilitate web and mobile application development; they have become the de facto standard for any web API, including those used for B2B
GraphQL: GraphQL APIs are the newer, Facebook-developed standard that provides database access over a single POST endpoint (typically /graphql); it solves a common RESTful API problem — that of requiring multiple calls to populate a single user interface page
SOAP: SOAP uses the verbose eXtensible Markup Language (XML) for remote procedure calls (RPCs). It can still be found in legacy APIs
XML-RPC: XML-RPC is a method of making procedure calls over the internet that uses a combination of XML for encoding and HTTP as a communications protocol
gRPC: gRPC APIs are a Google-developed, high-performance binary protocol over HTTP/2.0 and are used mostly for east-west (within internal network) communication
OpenAPI: OpenAPI is a description and documentation specification for APIs. It may be helpful to know that the term Swagger refers to the original specification, and OpenAPI refers to the open standard developed by the OpenAPI Initiative
What is the difference between APIs and endpoints?
People often use "API" when they are really referring to a single API endpoint. APIs, sometimes called services or API products, are collections of endpoints that serve a business function. An individual endpoint, on the other hand, is a resource (or resource path, also known as a URI or uniform resource identifier) along with the operation performed on it (create, read, update, or delete). In RESTful APIs, operations are typically mapped to the HTTP methods (POST, GET, PUT, and DELETE).
What is a north-south API?
These are APIs that an organization leaves accessible to the outside world, primarily to conduct business with its business partners. This is called API exposure. For example:
- Banks embracing open banking may expose their data to other fintech or financial services organizations via APIs.
- Healthcare organizations may expose patient records to insurance companies and other medical organizations via APIs.
- Hospitality organizations may expose their reservation systems to travel agents or aggregators via APIs.
APIs are the connective tissue that allows disparate organizations to exchange data. North-south APIs are often considered safe because access is authorized and authenticated. Typically, this is the fastest-growing and largest volume of APIs, and consequently, it is the largest attack surface for most organizations.
What is an east-west API?
These are APIs that an organization uses internally and should not be accessible to anyone outside the business. These APIs connect internal applications or business units or departments. It is possible for a developer to make a mistake that makes east-west APIs accessible by accident. These APIs are not meant to be accessible or even known by external entities, but breaches do happen when threat actors find east-west APIs accessible via the internet.
What are the differences between B2C APIs and B2B APIs?
Business-to-consumer (B2C) APIs power web and mobile applications. They are typically consumed by modern front-end clients to allow authenticated end users access to the company's business functionality.
Business-to-business (B2B) APIs are offered by the organization to other organizations to conduct business and sometimes to provide value to joint customers. B2B APIs help streamline how an enterprise works with its suppliers, resellers, and other partners and how it provides better experiences to its customers.
Examples of B2B APIs include:
- Open banking APIs
- Supply chain management APIs
- Electronic invoicing and payments between trading partners
Since the consumers of the APIs differ greatly, the security controls available for protecting these APIs also vary. The industry has been focused on B2C use cases until fairly recently, but even there, the focus has not been on securing B2C APIs but rather on securing web applications. The security tools and controls typically employed for securing B2C web applications offer certain benefits (e.g., web application firewall [WAF]/web application and API protection [WAAP]) but cannot provide the degree of visibility, real-time monitoring, and protection required for securing B2C APIs from attacks.
Protecting B2B APIs is becoming increasingly challenging. These APIs are often easier targets for attackers because they frequently lack essential protection mechanisms. Earlier API security tools had limited visibility into B2B APIs and struggled to secure APIs that facilitated bulk data access on behalf of shared users (as seen in open banking, where fintech companies and financial institutions consensually share customer data). However, newer API security solutions offer behavioral analytics and can recognize anomalous activities, effectively addressing these concerns.
What are the differences between private APIs and public APIs?
Private APIs, sometimes also called internal APIs, are intended to be used by the company's developers and contractors. Often a part of a service-oriented architecture (SOA) initiative, private APIs are meant to streamline internal development by enabling different departments or business units to access each other's data efficiently and effectively.
By contrast, public APIs, also known as external APIs, are exposed to consumers from outside the company. In their most extreme manifestation, as open APIs, they can be freely consumed by anyone. In all cases, they require tight management and great documentation so they can be used by engineers outside the company.
It's important to note that private APIs that can be accessed over the internet are not really private in the strict sense of the word. For example, let's say ACME's B2C API is used only by ACME mobile apps (developed in house by ACME engineers). You may be tempted to call this a private API, but since the traffic to this API arrives from the internet (outside the company), this API is not really private — it is simply unpublished to external audiences. Hackers attack such APIs regularly by intercepting traffic and by reverse engineering mobile apps to find their corresponding APIs.
API security explained
What is API security?
API security is a strategy for gaining visibility into, rigorously testing, and protecting every API across an enterprise. This includes APIs that are integral to applications, business processes, and cloud workloads. However, because both internal and external APIs are being produced so rapidly and in such large numbers, it can be difficult to have a complete understanding of your organization's entire API landscape. Many organizations lack visibility into how many APIs they actually have and which APIs return sensitive data when called. Identifying and mitigating API security risks require security controls that are sophisticated enough to provide this kind of visibility and data analysis. The APIs that need protection may include:
- APIs that make data easily accessible by customers or business partners
- APIs consumed from business partners
- APIs that are implemented and used internally to make application functionality and data available to various systems and user interfaces in a standardized and scalable manner
An effective API security strategy must include systematic techniques for assessing risk and potential impact as well as executing appropriate mitigation measures. The first step in assessing risk is building an inventory of all sanctioned and unsanctioned APIs published and used by the organization. This inventory should include attributes such as:
- Data classifications, which at a minimum distinguish between "not sensitive," "sensitive," and "very sensitive" data
- Risk indicators, such as API vulnerabilities and misconfigurations
Additionally, API visibility and risk mitigation measures must consider a diverse collection of possible threats, including:
- Detecting and preventing the use of unsanctioned shadow APIs (see sidebar)
- Identifying and remediating API vulnerabilities and misconfigurations that threat actors could potentially exploit
- Preventing instances of API misuse, such as business logic abuse and data scraping
How is API security different from application security?
While API security and traditional application security are related disciplines, API security is a distinct challenge for two key reasons — the scale and complexity of the problem.
Greater scale
Three factors contribute to the rapid growth of API use:
1. The use of microservices, an architecture that mandates the use of APIs for service-to-service communication, is growing.
2. In the direct-user channel, modern front-end application frameworks such as React, Angular, and Vue use APIs and are displacing legacy web apps.
3. APIs are added to address completely new channels as well (e.g., partners, IoT, and business automation).
Flexibility leading to complexity
Unlike web applications, APIs are designed to be used programmatically in many different ways, which makes differentiating legitimate usage from attacks and abuse extremely challenging.
Is there an API taxonomy that security teams should understand?
The following are common categorizations and descriptions of APIs that may come up in a security context.
Sanctioned APIs
- Published API (with Swagger documentation or similar)
Unsanctioned APIs
- Shadow API
- Rogue API
- Zombie API
- Hidden API
Out-of-date APIs
- Deprecated API
- Legacy API
- Zombie API
- Orphaned API
Stages of API security maturity
Stage 1: Visibility and discovery
You are in the process of discovering all your APIs and the microservices they support by using an automated approach. Breadth of coverage is critical, as overlooked APIs (such as those no longer in use) are a prime target for threat actors.
Stage 2: Testing
You test all your APIs to ensure that they are coded correctly and that they perform their intended function. Testing performed prior to deploying an API is the upper end of this maturity stage; risk is eliminated before the API goes into production, and any needed fix is exponentially less expensive.
Stage 3: Risk audit
You continually audit your entire API environment to identify misconfigured APIs or other errors. Your audit also ensures adequate documentation of every API and determines whether they contain sensitive data or lack appropriate security controls.
Stage 4: Runtime protection
You are using a solution with automated runtime protection, which can differentiate between normal and abnormal API activity. By monitoring API interactions this way, you're able to detect behaviors indicating a threat in real time.
Stage 5: Response
You have solutions in place to respond to suspicious API behavior, such as a WAF or API gateway that blocks suspicious traffic before it can access critical resources. Your solutions use customized, automated rules.
Stage 6: Hunt for threats
You regularly perform forensic analysis on past threat data to learn whether alerts correctly identified threats and whether patterns emerged that enable proactive threat hunting using a combination of sophisticated tools and human intelligence.
What are the best practices for protecting APIs?
Enhancing your API security starts with the following best practices:
- Integrate API security standards and practices with your organization's software development lifecycle.
- Incorporate API documentation and automated security testing into your continuous integration/continuous delivery (CI/CD) pipelines.
- Ensure that appropriate and effective authentication and authorization controls are applied to your APIs.
- Implement rate limiting measures to help prevent APIs from being abused or overwhelmed.
- Augment rate limiting and other application-level measures with specialized gateways and/or content delivery networks to mitigate the risk of distributed denial-of-service (DDoS) attacks.
- Make API security testing an integral part of your broader application testing processes.
- Perform continuous discovery of APIs.
- Implement a systematic approach for identifying and remediating common API vulnerabilities, including the OWASP Top 10 API Security Risks.
- Use signature-based threat detection and prevention as a baseline level of protection against known API attacks.
- Augment signature-based detection with AI and behavioral analytics to make API threat detection more scalable, accurate, business relevant, and resilient against novel threats.
- Ensure that the API security monitoring and analysis process extends over multiple weeks and API sessions.
- Complement API security monitoring and alerting with on-demand access to API inventory and activity data for use by threat hunters, developers, DevOps, and support personnel.
Your ability to implement these API security best practices depends on where you are in your journey toward a mature API security strategy (see sidebar).
API security risks and abuse
What is an API vulnerability?
An API vulnerability is a software bug or system configuration error that an attacker can exploit to access sensitive application functionality or data or otherwise misuse an API. The OWASP Top 10 API Security Risks offer a useful overview of some of the most widely abused API vulnerabilities that organizations should attempt to identify and remediate.
Are all API vulnerabilities tracked on the OWASP Top 10 API Security Risks?
The OWASP API Security Top 10 is an excellent starting point for organizations seeking to improve their API security posture. Its categories cover a wide range of possible API risks. But the categories included in the OWASP API Security Top 10 are quite broad, so it's important to drill down to the sub-areas for each one. API attackers frequently attempt to exploit authorization issues (covered by OWASP extensively), but there are also API risks that fall completely outside the OWASP API Security Top 10, such as the abuse of logic bugs.
How can APIs be abused?
APIs can be attacked and abused in various ways, but some of the most common examples include:
- Vulnerability exploitation: Technical vulnerabilities in underlying infrastructure can lead to server compromise. Examples range from the Apache Struts vulnerabilities (CVE-2017-9791, CVE-2018-11776) to Log4j vulnerabilities (CVE-2021-44228).
- Business logic abuse: Logic abuse is when a threat actor exploits application design or implementation flaws to prompt unexpected and unsanctioned behavior. These scenarios cause stress for CISOs and their teams because legacy security controls are useless against them.
- Unauthorized data access: Another common form of API abuse is the exploitation of broken authorization mechanisms to access data that should not be accessible. These vulnerabilities carry many names, such as Broken Object Level Authorization (BOLA), insecure direct object reference (IDOR), and broken function-level authorization (BFLA).
- Account takeover: After a credential theft or even an XSS attack, an account can be taken over. Once that happens, abuse of even the most well-written and perfectly secured API is possible. Using an API security solution that offers behavior analysis allows you to differentiate authenticated activity from illegitimate usage.
- Data scraping: As organizations make data sets available through public APIs, threat actors may aggressively query these resources to perform wholesale capture of large, valuable data sets.
- Business denial of service (DoS): By asking the backend to perform heavy tasks, API attackers can cause erosion of service or a complete DoS at the application layer (a very common vulnerability in GraphQL but something that can happen with any resource-intensive API endpoint implementation).
What is a zombie API?
Driven by changing market and business requirements, APIs are in constant flux. As new endpoint implementations are released to meet new business needs, fix bugs, and introduce technical improvements, older versions of these endpoints are sunset. Managing the decommissioning process of old endpoints is not trivial. Often, endpoint implementations that should have been deprecated remain alive and accessible — those are called zombie endpoints.
How can I find the various types of shadow APIs?
One of the ways to conduct enterprise-wide shadow API discovery is to ingest and analyze API traffic on your network. Examples of API traffic sources include:
- Content delivery networks (CDNs)
- API gateways
- WAFs
- Kubernetes clusters
- Cloud infrastructure
Once raw data from all available sources is collected, AI techniques can be used to transform it into a comprehensive inventory of all APIs, endpoints, and parameters. From there, additional analysis can be performed to classify these elements and identify shadow APIs that should be eliminated or brought into formal governance processes.
How do you protect internal APIs and B2B APIs?
It really depends on the definition of "internal." Some teams refer to APIs exposed over the internet to their own organization's web and mobile applications as "internal APIs." And while the documentation for these APIs may indeed be accessible only to company employees and contractors, hackers have become adept at analyzing apps and reverse engineering the APIs via app disassembly toolkits and proxies such as Burp Suite.
However, if "internal APIs" are defined as east-west APIs, which cannot be accessed from outside the organization, then the main threat is reduced to an insider threat. Protect east-west APIs and your B2B APIs like most other APIs: Start by securing the software development lifecycle (SDLC) and continue by ensuring access is authenticated and authorized. You can also implement quota management, rate limits, and spike arrests. Additionally, you can protect your APIs against known threats by using WAFs/WAAPs.
For B2B APIs, consider adding strict authentication mechanisms, such as mTLS, because of the sensitive and often bulk nature of the transactions.
And for both east-west and B2B APIs, we recommend you employ behavioral analytics, especially if you have many entities involved, which may make the process of distinguishing between legitimate and illegitimate behavior difficult. For example:
- How do you know if the API credentials of a specific user have been compromised?
- How would you know if your invoicing API is being abused by a partner enumerating invoice numbers to steal account data?
Protection of B2B APIs and east-west APIs requires business context that cannot be gained by analyzing technical elements like IP addresses and API tokens alone. Using machine learning and behavioral analytics to gain visibility into business-relevant entities is the only way to understand and manage risk effectively. Business context and historical benchmarks for normal use of APIs by specific entities like your users or partners — or even business process entities (invoice, payment, order, etc.) — make it possible to see anomalies that would otherwise go undetected.
Do API gateways offer sufficient risk protection?
Many organizations taking a strategic approach to APIs use API gateways. Most API gateways have rich integrated security features that organizations should take advantage of — first among those is authentication (and authorization as well, if you can leverage OpenID Connect). However, merely performing authentication, authorization, and quota management at the API gateway is not sufficient for several reasons:
- The discovery gap of API gateways: API gateways only have visibility and control over the APIs that they are configured to manage, making them ineffective at detecting shadow APIs and endpoints.
- The security gap of API gateways: API gateways can enforce authentication and, to some degree, authorization schemes, but they do not inspect payloads (as WAFs and WAAPs do), nor do they profile behavior to detect abuse.
What are the most common API misconfiguration errors?
The number of possible API misconfigurations is nearly endless, given the large number of ways that APIs are used. However, there are some common themes in misconfiguration:
Broken or no authentication
Authentication is foundational to securing sensitive data that is made available via APIs. Step one is ensuring that all APIs carrying sensitive data have authentication in place initially. But it's also important to protect authentication mechanisms from brute-force attacks, credential stuffing, and use of stolen authentication tokens via rate limiting. Misconfigurations allowing API consumers to bypass authentication mechanisms can sometimes happen, often around token management (for example, some notorious JWT validation issues or not checking the token scope).
Broken authorization
One of the most common uses of APIs is to provide access to data or content, including sensitive information. Authorization is the process of verifying that an API consumer is eligible to access the data they are trying to access, prior to making it available to them. This can be done at the object or resource level (for example, I can access my orders but not someone else's) or at the function level (as is often the case with administrative capabilities). Authorization is hard to get right because of the high number of edge cases and conditions and because of the various flows that API calls can take between microservices. If you don't have a centralized authorization engine, your API implementation likely includes some of these vulnerabilities, such as BOLA and BFLA.
Security misconfiguration
In addition to the authentication and authorization issues mentioned above, there are many possible types of security misconfigurations, including insecure communication (e.g., failure to use SSL/TLS or the use of vulnerable cipher suites), unprotected cloud storage, and overly permissive cross-origin resource-sharing policies.
Lack of resources and rate limiting
When APIs are implemented without any limits on the number of calls that API consumers can make, threat actors can overwhelm system resources, leading to service degradation or full-scale DoS. At the very least, rate limits must be enforced on access to any unauthenticated endpoint, with authentication endpoints being of critical importance — or else brute-force attacks, and credential stuffing and credential validation attacks, are simply bound to happen.
What are API attacks?
API attacks are attempts to use APIs for malicious or otherwise unsanctioned purposes. A